7G firewall nginx configuration

I had a slow afternoon, so I thought I’d sit down and try to figure this out. If you’re running Apache, then it’s a lot easier to use the Apache version: it’s basically just adding 50 lines to your .htaccess file, and then downloading and configuring a PHP script to activate logging.

But maybe you want to do it in nginx, so here’s how to do it.

  1. Visit the 7g firewall for nginx page, and download the zip file.
  2. Put the two files somewhere on your server, in the /etc/nginx directory. I put mine in /etc/nginx/7g/7g-firewall.conf and /etc/nginx/7g/7g.conf.
  3. The first file needs to be included in /etc/nginx/nginx.conf, somewhere between “http {” and the final “}”. I put it at the end, before the final includes, so it looks like this:

```nginx
    # 7g firewall
    include /etc/nginx/7g/7g-firewall.conf;

    # Wildcard include
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/conf.d/domains/*.conf;
}
```

  4. The other file needs to be included in the configuration of the site(s) that you want to activate the firewall for. As Hestia already has a mechanism for doing this, including any nginx.conf_* files, I just used that. So I copied the file into place. (I decided to do it this way rather than symlinking because of the next step.)

```bash
cp /etc/nginx/7g/7g.conf /home/user/conf/web/domain.com/nginx.conf_7g
cp /etc/nginx/7g/7g.conf /home/user/conf/web/domain.com/nginx.ssl.conf_7g
```

  5. Test the config with `nginx -t`. If there are no errors, then you can `systemctl restart nginx`.

At this point, you are up and running. You can test it by trying to access https://domain.com/db.sql, for example, and instead of getting a 404, you’ll get a firm 403 forbidden. But I was expecting to see something in my logs, so I decided to set that up, at least for a while so I could see what was going on. There are two further steps in this case.

  1. Add a line which will log the requests to the two files (both of them) you copied to your domain’s conf directory in step 4. Add it at the end of the file, before the 403 and 405 stanzas, like this:

```nginx
access_log /var/log/apache2/domains/domain.com.7g.log 7g_log if=${7g_drop};

if ($7g_drop = 1) {
    return 403;
}

if ($7g_drop = 2) {
    return 405;
}
```

  2. You’ve just told it to log to a separate 7g log if one of the rules has been triggered. And you’ve told it to use the 7g_log format, so you need to tell nginx about that. Back in /etc/nginx/nginx.conf, search for the other log_format directives and add this one in there:

```nginx
log_format 7g_log '[$time_local] ["$args"] $remote_addr $http_host "$request" $status $request_time "$http_referer" "$http_user_agent"';
```

Once again `nginx -t` will let you know if you’ve messed up the formatting, and if not, you’re good to go and `systemctl restart nginx`. When you test the firewall again, you’ll see entries in the new logfile, so it’s easier to see that it’s working, and the log file will tell you what rule was triggered, so that if the rule is breaking some functionality on your site, you can disable or modify it.
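As an added example (not part of the post above and not code from the 7G project or Hestia), here is a small Python parser for the `7g_log` format defined in the post, run over a few constructed log lines. Once the separate 7g log is in place, something like this lets you count blocked requests per client address, path and status and spot a rule that is firing on legitimate traffic. The sample lines, hostnames and addresses are constructed; the field order follows the `log_format` directive in the post, and because nginx escapes an embedded double quote in a logged variable as `\x22`, each quoted field can be matched as a run of non-quote characters.

```python
"""Parse the 7g_log nginx access-log format and summarise what the 7G rules blocked.

Added example (not from the post or the 7G project). Sample log lines below are constructed.
"""
import re
import sys
from collections import Counter
from datetime import datetime

# Field order mirrors the post's log_format directive:
# [$time_local] ["$args"] $remote_addr $http_host "$request" $status $request_time "$http_referer" "$http_user_agent"
# nginx escapes a literal double quote inside a logged variable as \x22, so each
# quoted field can safely be matched as a run of non-quote characters.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] '
    r'\["(?P<args>[^"]*)"\] '
    r'(?P<addr>\S+) '
    r'(?P<host>\S+) '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) '
    r'(?P<rtime>\d+(?:\.\d+)?) '
    r'"(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)"$'
)

# The 7g.conf stanzas in the post: $7g_drop = 1 returns 403, $7g_drop = 2 returns 405.
DROP_REASON = {403: "7g_drop=1 (blocked request)", 405: "7g_drop=2 (method not allowed)"}

# Constructed sample lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
[12/Mar/2024:14:05:33 +0000] [""] 203.0.113.7 domain.com "GET /db.sql HTTP/1.1" 403 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
[12/Mar/2024:14:05:41 +0000] ["q=test\\x22"] 203.0.113.7 domain.com "GET /search?q=test\\x22 HTTP/1.1" 403 0.001 "https://domain.com/" "Mozilla/5.0 (X11; Linux x86_64)"
[12/Mar/2024:14:06:02 +0000] [""] 198.51.100.23 domain.com "TRACE / HTTP/1.1" 405 0.000 "-" "curl/8.5.0"
this line is not in 7g_log format and is counted as unparsed
"""


def parse_line(line):
    """Return a dict of the fields of one 7g_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["request_time"] = float(entry.pop("rtime"))
    # "$request" is "METHOD /path HTTP/x.y"; split it so paths can be grouped.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    entry["reason"] = DROP_REASON.get(entry["status"], "not a 7G status")
    return entry


def summarize(lines):
    """Count parsed entries by status, client address and path; track unparsed lines."""
    entries = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
        else:
            entries.append(entry)
    return {
        "total": len(entries),
        "unparsed": unparsed,
        "by_status": Counter(e["status"] for e in entries),
        "by_addr": Counter(e["addr"] for e in entries),
        "by_path": Counter(e["path"] for e in entries),
    }


if __name__ == "__main__":
    # Read a real 7g log from stdin if one is piped in, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = summarize(text.splitlines())
    print(f"{summary['total']} blocked requests, {summary['unparsed']} unparsed lines")
    for key in ("by_status", "by_addr", "by_path"):
        print(key, dict(summary[key]))
```

Piping the real log through it (`python3 parse_7g_log.py < /var/log/apache2/domains/domain.com.7g.log`, with whatever filename you save the script under) gives the per-path counts that make a misfiring rule obvious; a path you know is legitimate showing up repeatedly with a 403 is the one to look at in 7g.conf.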


I do exactly the same in the same way but I modify all files to include a comment with “7g” in the file so I can run:

```bash
nginx -T | grep "7g"
```

I get all the domains configured to use 7g.
I have the scripts that do the job if the hestiaCP team want me to submit a PR.